authorBernhard Posselt <dev@bernhard-posselt.com>2016-05-10 17:34:00 +0200
committerBernhard Posselt <dev@bernhard-posselt.com>2016-05-10 17:34:00 +0200
commit9a3c1c71824723d4b369df9b412fd0a7d6f08ac5 (patch)
tree1af699d10e0e679129fee2f84d01f5d88fe46dad
parent1bc7a4907ac3f15f57a5076b4c74b887da0af204 (diff)
Fix window.opener vulnerability
-rw-r--r--CHANGELOG.md3
-rw-r--r--js/gui/KeyboardShortcuts.js4
-rw-r--r--templates/index.php3
-rw-r--r--templates/part.content.cronwarning.php6
-rw-r--r--templates/part.content.explore.php4
-rw-r--r--templates/part.settings.php4
6 files changed, 18 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc5512b1b..91eff4177 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+owncloud-news (8.7.5)
+* **Security (High)**: Fix security bug that would allow websites to access your DOM document when using keyboard shortcuts to open an article in a new tab, downloading audio files, opening links on the explore page or opening links to the ownCloud documentation (News app versions prior to 5.0.0 are also vulnerable when clicking on any link in the title or article body). This gives any attacker access to all data on the DOM. This allows them to make arbitrary requests to the ownCloud server on the user's behalf, bypassing CSRF protection and gaining full access to their account by stealing their login cookies. For a more detailed explanation [https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c#.h55ny7ef0](visit this website)
+
owncloud-news (8.7.4)
* **Bugfix**: Fix expand in compact view mode, #988
diff --git a/js/gui/KeyboardShortcuts.js b/js/gui/KeyboardShortcuts.js
index c90f3bc70..9e32a15b3 100644
--- a/js/gui/KeyboardShortcuts.js
+++ b/js/gui/KeyboardShortcuts.js
@@ -263,7 +263,9 @@
var openLink = function (scrollArea) {
onActiveItem(scrollArea, function (item) {
item.trigger('click'); // mark read
- window.open(item.find('.external:visible').attr('href'), '_blank');
+ var url = item.find('.external:visible').attr('href');
+ var newWindow = window.open(url, '_blank');
+ newWindow.opener = null;
});
};
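Review bot: `newWindow.opener = null` on the last added line dereferences the return value of `window.open()` without a null check, so a popup blocker (which makes `window.open()` return null) turns a blocked tab into an uncaught TypeError inside the keyboard handler; guard it with `if (newWindow) { newWindow.opener = null; }`. The URL is also handed to `window.open()` before `opener` is cleared, and the commonly recommended form for this fix is to open a blank window first, clear `opener`, and only then assign `newWindow.location = url`, so the new document is never navigated while it can still reach this one — the same null guard applies to that variant. A one-line comment such as `// detach the new tab so the opened site cannot reach this document via window.opener` would record why the extra line exists, since it reads as redundant otherwise.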
diff --git a/templates/index.php b/templates/index.php
index b87908139..aa00aed2c 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -92,7 +92,8 @@ foreach (Plugin::getScripts() as $appName => $fileName) {
<audio controls autoplay ng-src="{{ App.playingItem.enclosureLink|trustUrl }}" news-play-one></audio>
<a class="button podcast-download" title="<?php p($l->t('Download')) ?>"
ng-href="{{ App.playingItem.enclosureLink|trustUrl }}"
- target="_blank"></a>
+ target="_blank"
+ rel="noreferrer"></a>
<button class="podcast-close" title="<?php p($l->t('Close')) ?>"
ng-click="App.playingItem = false"></button>
</div>
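Review bot: The added `rel="noreferrer"` on the podcast download link relies on browsers treating noreferrer as implying noopener; writing `rel="noopener noreferrer"` states the actual intent (detaching `window.opener`) rather than leaving it as a side effect of a referrer policy, and the same applies to every `target="_blank"` link changed in part.content.cronwarning.php, part.content.explore.php and part.settings.php. `noreferrer` also suppresses the Referer header, which matters for the same-origin OPML and article export links in part.settings.php: if either export route is protected by a referrer check rather than the request token, that download breaks — worth confirming against the controller. A short template comment at the first use, such as `<!-- rel="noreferrer": cuts window.opener so the opened page cannot reach this document -->`, would keep a later cleanup from removing the attribute as unused.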
diff --git a/templates/part.content.cronwarning.php b/templates/part.content.cronwarning.php
index 3adfee2b7..4e3222812 100644
--- a/templates/part.content.cronwarning.php
+++ b/templates/part.content.cronwarning.php
@@ -4,7 +4,8 @@
<ul>
<li>
<a href="https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/background_jobs_configuration.html#cron"
- target="_blank">
+ target="_blank"
+ rel="noreferrer">
<?php
p($l->t('How to set up the operating system cron'));
?>
@@ -12,7 +13,8 @@
</li>
<li>
<a href="https://github.com/owncloud/news-updater"
- target="_blank">
+ target="_blank"
+ rel="noreferrer">
<?php
p($l->t('Install and set up a faster parallel updater that uses the News app\'s update API'));
?>
diff --git a/templates/part.content.explore.php b/templates/part.content.explore.php
index 3eab49751..e1871152c 100644
--- a/templates/part.content.explore.php
+++ b/templates/part.content.explore.php
@@ -25,7 +25,7 @@
<div class="grid-item-content">
<h1 ng-show="entry.favicon"
ng-style="{ backgroundImage: 'url(' + entry.favicon + ')'}">
- <a target="_blank" ng-href="{{ entry.url }}">{{ entry.title }}</a>
+ <a target="_blank" rel="noreferrer" ng-href="{{ entry.url }}">{{ entry.title }}</a>
</h1>
<h1 ng-hide="entry.favicon" class="icon-rss">
{{ entry.title }}
@@ -48,6 +48,6 @@
</div>
<div class="explore-footer">
- <a target="_blank" href="https://github.com/owncloud/news/wiki/Explore-Feed-Section"><?php p($l->t('Got more awesome feeds? Share them with us!')) ?></a>
+ <a target="_blank" rel="noreferrer" href="https://github.com/owncloud/news/wiki/Explore-Feed-Section"><?php p($l->t('Got more awesome feeds? Share them with us!')) ?></a>
</div>
</div>
diff --git a/templates/part.settings.php b/templates/part.settings.php
index eaabb33b3..533fafda4 100644
--- a/templates/part.settings.php
+++ b/templates/part.settings.php
@@ -78,6 +78,7 @@
class="button icon-download svg button-icon-label"
href="<?php p(\OCP\Util::linkToRoute('news.export.opml')); ?>"
target="_blank"
+ rel="noreferrer"
ng-hide="App.isFirstRun()">
</a>
@@ -119,6 +120,7 @@
class="button icon-download svg button-icon-label"
href="<?php p(\OCP\Util::linkToRoute('news.export.articles')); ?>"
target="_blank"
+ rel="noreferrer"
ng-hide="App.isFirstRun()">
</a>
<button
@@ -144,10 +146,12 @@
<p>
<a target="_blank"
+ rel="noreferrer"
href="https://github.com/owncloud/news/wiki"><?php p($l->t('Documentation')); ?></a>
</p>
<p>
<a target="_blank"
+ rel="noreferrer"
href="https://github.com/owncloud/news/issues/new"><?php p($l->t('Report a bug')); ?></a>
</p>